
Debian 11 calibre DLA-4554-1 Path Traversal and File Write Risks

debian lts
April 30, 2026
Multiple vulnerabilities in calibre e-book manager could allow file writes and code execution in Debian systems.

Summary

CVE-2025-64486

calibre does not validate filenames when handling binary assets in
FB2 files, allowing an attacker to write arbitrary files on the
filesystem when viewing or converting a malicious FictionBook
file. This can be leveraged to achieve arbitrary code execution.

CVE-2026-25635

Calibre's CHM reader contains a path traversal vulnerability that
allows arbitrary file writes anywhere the user has write
permissions.

CVE-2026-25636

A path traversal vulnerability in Calibre's EPUB conversion allows
a malicious EPUB file to corrupt arbitrary existing files writable
by the Calibre process.

CVE-2026-26064

A path traversal vulnerability that allows arbitrary file writes
anywhere the user has write permissions.

CVE-2026-26065

Path traversal in the PDB readers allows arbitrary file
writes with arbitrary extension and arbitrary content anywhere the
user has write permissions. Files are written in 'wb' mode,
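
The kind of filename check whose absence CVE-2025-64486 describes, as an added example that is not calibre's code or the Debian patch. It assumes the asset filename is taken from the `id` attribute of each FB2 `<binary>` element; the function names and the sample document are constructed for illustration.

```python
import base64
import os
import xml.etree.ElementTree as ET

FB2_NS = "{http://www.gribuser.ru/xml/fictionbook/2.0}"

# Constructed sample, not a real book: one ordinary asset and one whose id
# tries to climb out of the output directory.
SAMPLE_FB2 = """<FictionBook xmlns="http://www.gribuser.ru/xml/fictionbook/2.0">
  <binary id="cover.jpg" content-type="image/jpeg">Y292ZXI=</binary>
  <binary id="../../escape.txt" content-type="text/plain">ZXNjYXBl</binary>
</FictionBook>"""


def safe_asset_path(out_dir, name):
    """Return the path for `name` inside out_dir, or None if it would escape."""
    if not name or "\x00" in name or os.path.isabs(name):
        return None
    root = os.path.realpath(out_dir)
    # realpath collapses ".." and follows symlinks before the comparison.
    target = os.path.realpath(os.path.join(root, name))
    # commonpath equals root only when target lies at or below root.
    if target == root or os.path.commonpath([root, target]) != root:
        return None
    return target


def extract_binaries(fb2_text, out_dir):
    """Write contained assets; return (written, rejected) lists of ids."""
    written, rejected = [], []
    # Stdlib parser used for brevity on constructed input.
    for elem in ET.fromstring(fb2_text).iter(FB2_NS + "binary"):
        name = elem.get("id", "")
        path = safe_asset_path(out_dir, name)
        if path is None:
            rejected.append(name)
            continue
        os.makedirs(os.path.dirname(path), exist_ok=True)
        # "xb" refuses to overwrite an existing file, unlike "wb".
        with open(path, "xb") as fh:
            fh.write(base64.b64decode(elem.text or ""))
        written.append(name)
    return written, rejected
```

The rejected list is worth logging: a book whose asset names resolve outside the extraction directory is a strong signal that the file is malicious rather than malformed.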



Severity: critical

Package: calibre
Version: 5.12.0+dfsg-1+deb11u4
CVE ID: CVE-2025-64486 CVE-2026-25635 CVE-2026-25636 CVE-2026-26064
